The “Warlock” ransomware group has been observed abusing Velociraptor, a popular open-source digital forensics and incident response (DFIR) tool, in intrusions that ended in ransomware deployment. The Velociraptor build involved was affected by CVE-2025-6264, an incorrect-default-permissions flaw: a user holding only artifact-collection rights could push a new client configuration to an endpoint, which is enough to run arbitrary commands there. Combined with the tool's legitimate remote collection and execution features, this gave the operators a ready-made channel to stage and spread ransomware across the network.
Business Impact
This is a cruel irony: attackers are weaponizing the very tool used to hunt them. A Velociraptor agent runs with high privileges on every endpoint it monitors and will collect files or execute commands on demand, so whoever controls the server it reports to has an instant, trusted distribution channel to every managed device. Unlike a bespoke implant, its binary and traffic look like expected security tooling, which buys the attacker time.
Why It Happened
Two things combined. First, the permission flaw: in affected versions a low-privileged operator role could change a client's configuration, and in Velociraptor that is the path to arbitrary command execution, so modest rights inside the tool became full endpoint control. Second, the tool does by design what a command-and-control (C2) framework does, remote collection and execution at scale, and it is documented and expected on enterprise networks. In the publicly reported intrusions the operators did not have to find a defender's exposed server: they installed an outdated Velociraptor build on hosts they had already compromised, pointed it at infrastructure they controlled, and used it as their C2 channel. An internet-facing, unpatched, or weakly authenticated server run by the defender would hand over the same capability.
Recommended Executive Action
If your security team uses Velociraptor, mandate an immediate audit. Confirm that every server and agent runs a build containing the CVE-2025-6264 fix, that no server is reachable from the public internet, that operator accounts use strong authentication (SSO with MFA) and least-privilege roles, and that no agent reports to a frontend you do not operate. Because attackers also bring their own copy, have the SOC hunt for Velociraptor binaries and services on hosts where you never deployed it, and for installs pulled from external URLs. Treat security infrastructure as the highest-value target in your estate.
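Two of those checks can be scripted. The following is an added example, not Velociraptor's or Rapid7's own code: it audits a fleet inventory for agents on a build that predates the CVE-2025-6264 fix and for agents whose client configuration points at a server the organization does not operate, which is the tell-tale of an attacker-brought Velociraptor used as C2. The inventory and the approved-frontend list are constructed for the example, and the fixed-version constant is an assumption to be replaced with the version named in the vendor advisory.

```python
"""Audit Velociraptor client deployments for the two conditions the briefing
calls out: an outdated build and an agent reporting to a server you do not
operate.  Added example; not Velociraptor's or Rapid7's code.  The inventory
below is constructed, and FIXED_VERSION is an assumption to be replaced with
the value named in the vendor advisory for CVE-2025-6264."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: first build containing the CVE-2025-6264 fix. Confirm in the advisory.
FIXED_VERSION = (0, 74, 3)

# Frontends your SOC actually operates, as host:port (constructed for this example).
APPROVED_FRONTENDS = {"velociraptor.corp.example:8000"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str  # "critical" | "high" | "medium"
    message: str


def parse_version(version: str) -> tuple[int, ...]:
    """'0.73.4.0' -> (0, 73, 4, 0). Non-numeric decoration is ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_build(version: str) -> bool:
    """True when the build predates FIXED_VERSION. Shorter tuples are
    zero-padded so '0.74.3' and '0.74.3.0' compare equal."""
    ours, fixed = parse_version(version), FIXED_VERSION
    width = max(len(ours), len(fixed))

    def pad(t: tuple[int, ...]) -> tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(ours) < pad(fixed)


def audit_client(host: str, version: str, client_config: dict) -> list[Finding]:
    """Check one agent. client_config mirrors a Velociraptor client config
    (the real file is YAML; a dict is used here so this runs with stdlib only)."""
    findings: list[Finding] = []
    if is_vulnerable_build(version):
        findings.append(Finding(host, "high",
                                f"Velociraptor {version} predates the CVE-2025-6264 fix"))
    urls = client_config.get("Client", {}).get("server_urls") or []
    if not urls:
        findings.append(Finding(host, "medium", "client config has no server_urls"))
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(Finding(host, "high", f"non-TLS frontend URL {url}"))
        if parsed.netloc not in APPROVED_FRONTENDS:
            # An agent phoning home to a frontend you never stood up is the
            # signature of an attacker-brought Velociraptor being used as C2.
            findings.append(Finding(host, "critical",
                                    f"agent reports to unapproved frontend {parsed.netloc}"))
    return findings


def audit_fleet(inventory: list[dict]) -> dict[str, list[Finding]]:
    """Run audit_client over an inventory; return only hosts with findings."""
    results: dict[str, list[Finding]] = {}
    for entry in inventory:
        found = audit_client(entry["host"], entry["version"], entry["config"])
        if found:
            results[entry["host"]] = found
    return results


# Constructed inventory: one healthy agent and one that matches the pattern
# described in the briefing (old build, reporting to an unknown server).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "version": "0.74.3",
     "config": {"Client": {"server_urls": ["https://velociraptor.corp.example:8000/"]}}},
    {"host": "ws-042", "version": "0.73.4.0",
     "config": {"Client": {"server_urls": ["https://updates-cdn.example.invalid:8000/"]}}},
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"[{f.severity.upper():8}] {host}: {f.message}")
```

Feed it from whatever already knows your fleet: the agents' `client.config.yaml` files (parse the YAML and pass the resulting dict) or EDR telemetry. The scriptable part is the comparison; the hard part remains having an accurate inventory of where Velociraptor is supposed to be.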
Hashtags: #Ransomware #Warlock #Velociraptor #DFIR #Vulnerability #SupplyChain #CyberSecurity #InfoSec
